

Linux Kernel Problems; SSH Design Flaw

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at a system call problem and a race condition in the Linux kernel; buffer-overflow problems in SSH-1 and XMail; denial-of-service vulnerabilities in BIND 9.0.1 and ProFTPD; a format string problem in man; design flaws in wireless networking security code; and temporary file problems in FreeBSD's sort.

Linux kernel problems

Two problems have been reported in the Linux kernel: a problem with the sysctl() system call and a race condition. The sysctl() system call can be used to read large areas of kernel memory by passing it a negative offset. The race condition can be used to modify a running setuid process using ptrace.

Both problems have been fixed in the 2.2.19pre9 kernel. Users are advised to check with their vendor for updated kernel packages.


SSH

Problems reported this week for SSH (secure shell) include: a buffer-overflow in version 1 of sshd, a buffer-overflow in the Kerberos ticket handling code in the SSH AFS/Kerberos v4 patches for SSH 1.2.2x, and a design flaw in the SSH 1.5 protocol.

The buffer-overflow in version 1 of SSHD can be exploited to gain root privileges. This vulnerability is present in most SSHD implementations including: SSH2 2.x with SSH1 fallback support, SSH1 1.2.x versions newer than 1.2.24, F-Secure SSH 1.3.x, OpenSSH prior to 2.3.0 (with version 1 support enabled), OSSH 1.5.7, and others that are derived from SSH1 or OpenSSH. Versions that are not vulnerable include OpenSSH 2.3.0, Cisco SSH, and LSH.

The buffer-overflow in the SSH AFS/Kerberos v4 patches to SSH 1.2.2x can be exploited remotely and used to gain root privileges. Users should upgrade to OpenSSH 2.3.0 or newer.

The design flaw in the SSH protocol version 1.5 can be used to recover session keys from an encrypted SSH session. The recovered session key can then be used to decrypt the recorded session or potentially to alter a live session. The vulnerable code is also present in OpenSSH, but it is not possible to exploit it there. SSH-1 versions up to version 1.2.31 are vulnerable.

It is recommended that you upgrade your SSHD to SSH-2 or a patched version of SSH-1 as soon as possible.

BIND 9.1.0

The BIND 9.1.0 name server can be crashed under certain conditions by a network scan. The crash is caused by a kernel bug in the accept() system call. It is unclear which kernels are affected.

The ISC (Internet Software Consortium) has released BIND version 9.1.1rc1. This version contains workarounds that cause BIND to log errors instead of crashing. If you are being affected by this problem, you should upgrade to 9.1.1rc1.


man

The man page-reader program has a format string vulnerability. The impact depends on how man is installed: setuid root, setuid man, or setgid man.

If man is installed setuid root, the vulnerability may be exploitable to gain root privileges. Some distributions install a setuid root wrapper program that drops root privileges before executing the real man program; these distributions have not been reported as being vulnerable.

With setuid man binaries, the vulnerability can be exploited to gain the permissions of the man user ID. The attacker can then overwrite the man binaries with an arbitrary program. A script has been released that exploits this vulnerability.

In setgid binaries the vulnerability can be exploited to become a member of the "man" group. This can be used to write files in the /var/man/cache directory, which may present security problems.

Users should check with their vendor for updated man packages.


XMail

XMail is an Internet mail server that supports SMTP, POP3, and more. It has a buffer-overflow in the CTRLServer daemon. This buffer overflow can be exploited by a remote user to execute arbitrary code with the permissions of the user running XMail.

Currently, no patch has been released. The author of XMail, Davide Libenzi, has announced that the next version (0.68) will have this problem fixed. A potential workaround until the patch is released is to block access to CTRLServer with a firewall.


ProFTPD

ProFTPD, a popular FTP daemon, has two memory leaks that can be used in a denial-of-service attack, and a minor format string vulnerability. The memory leaks are triggered by the SIZE and USER commands; the SIZE command only leaks memory when there is no scoreboard file. It is very difficult, if not impossible, to exploit the format string vulnerability. These vulnerabilities exist in all 1.2.0 test releases prior to 1.2.0rc3.

Users should upgrade to ProFTPD version 1.2.0rc3 or newer.

802.11 WEP

802.11, the standard for wireless communication networks, uses WEP (Wired Equivalent Privacy) to provide protection from eavesdropping. Flaws have been found in the WEP protocol that can be used in several passive and active attacks to decrypt the wireless communications.

It is recommended that users of an 802.11 network not rely on WEP to protect the privacy of their communications, but use additional security measures.

Chili!Soft ASP

The Chili!Soft ASP package allows Unix web servers to run ASP (Active Server Pages). There is a bug in Chili!Soft that can cause a script to retain group root privileges during execution. For this to occur, Chili!Soft ASP must be running in inherited security mode. The vulnerability has only been tested under Red Hat Linux, and it is not known whether other distributions of Linux are affected.

Chili!Soft is planning to fix this bug in version 3.6. Until this version is released, it is recommended that you change Chili!Soft's security mode to defined and specify a user and a group for the package to run under.

FreeBSD sort

FreeBSD's sort, an application that sorts lines of text, creates easily predictable temporary files. By exploiting this vulnerability, a malicious user can cause sort to crash. This could be used to disable system reporting and management scripts.

It is recommended that users upgrade their system to FreeBSD 3.5-STABLE, 4.2-RELEASE, or 4.2-STABLE; or download the patch to bring sort to version 4.1.1.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
